WASHINGTON - A bipartisan group of senators is criticizing the State Department for failing to meet what they say are basic federal cybersecurity standards - even neglecting to equip employees with multi-factor authentication that could protect them from the types of phishing attacks that Russian hackers have used to target political campaigns.

In a letter sent Tuesday to Secretary of State Mike Pompeo, the lawmakers pointed to recent reports showing the department lagged behind other federal agencies in safeguarding itself from cyberthreats. They specifically called on the State Department to roll out multi-factor authentication, or MFA, across its networks, saying a "password-only approach is no longer sufficient to protect sensitive information from sophisticated phishing attempts and other forms of credential theft."

"Two-factor authentication is cybersecurity 101," Sen. Ron Wyden, D-Ore., one of the letter's authors, told me in an email. "Effective diplomacy depends on being able to keep certain things secret from other governments, especially during sensitive negotiations. If State can't secure their emails from hackers, it will undermine their ability to function as the foreign policy arm of the U.S. government."

The letter was also signed by Sens. Cory Gardner, R-Colo., Rand Paul, R-Ky., Ed Markey, D-Mass., and Jeanne Shaheen, D-N.H.

The State Department's apparent inability to adopt relatively low-hanging security practices highlights the Trump administration's struggles to make good on promises to improve cybersecurity across federal agencies. Wednesday's letter reflects frustration among lawmakers at the lack of progress, even after President Donald Trump himself pledged in his sweeping cybersecurity executive order last year to hold agency heads accountable for boosting their defenses against digital threats.

Multi-factor authentication, in particular, is a basic defense that can have a huge impact as nation states or criminals may be targeting diplomats or other U.S. interests at home and overseas. It adds a layer of security that experts say is essential for guarding against phishing attacks, which involve posing as a trusted source to gain access to private information. Russian hackers used the technique to infiltrate Democratic organizations during the 2016 election and have used it to target several candidates ahead of the November midterms.

The State Department has deployed special security controls such as multi-factor authentication on just 11 percent of required agency devices, according to the lawmakers' letter. This not only puts the department at risk, the senators wrote - it also violates the Federal Cybersecurity Enhancement Act, a 2015 law that requires agencies to use multi-factor authentication for all accounts with "elevated privileges," meaning accounts used by people who have administrative duties on a computer network.

"While certainly not a silver bullet, MFA is a simple step that makes it significantly harder for foreign governments or criminals to access accounts," the lawmakers wrote. "We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA."

And the problems didn't end there, the lawmakers said. The letter noted that the White House recently deemed the State Department's cyber readiness "high risk." The lawmakers also pointed to a report by the department's watchdog from last year that found that a third of diplomatic missions didn't conduct "even the most basic" cyberthreat management practices, such as regular reviews and audits of information systems to check for unusual activity. They called on the department to explain what steps it has taken to address these issues and to turn over three years' worth of statistics detailing cyberattacks against State Department systems outside the United States.

A department spokesperson declined to comment on the specifics of the letter. "All Congressional correspondence to the Department is carefully reviewed before an appropriate response is provided," the spokesperson said.

The State Department isn't the only agency with subpar cybersecurity practices - not by a long shot. Earlier this year, the Office of Management and Budget found that nearly three-quarters of federal agencies are ill-equipped to deal with intrusions into their networks. In a government-wide cybersecurity review, OMB concluded that 71 of the 96 agencies it examined were relying on cybersecurity programs that were deemed "at risk or high risk." On top of that, the Government Accountability Office revealed in July that agencies throughout government hadn't implemented hundreds of GAO recommendations to shore up their cyberdefenses. Even the watchdog for the National Security Agency, which is tasked with defending the country's communications systems, recently hammered the agency for failing to protect data stored on its networks.

It's not clear what the Trump administration intends to do to respond to the pressure to bring federal cybersecurity up to speed. There is no obvious person in the White House to shepherd a major overhaul. The likely choice, former cybersecurity coordinator Rob Joyce, returned to the National Security Agency over the summer, and the White House has no plans to replace him.